[v5,00/12] Integrate EFI capsule tasks into u-boot's build flow

Message ID 20230725085725.350917-1-sughosh.ganu@linaro.org

Sughosh Ganu July 25, 2023, 8:57 a.m. UTC
This patchset aims to bring two capsule related tasks under the u-boot
build flow.

One is the embedding of the public key into the platform's dtb. The
public key is in the form of an EFI Signature List(ESL) file and is
used for capsule authentication. This is being achieved by adding the
signature node containing the capsule public key in the architecture's
u-boot.dtsi file. Currently, the u-boot.dtsi file has been added for
the sandbox and arm architectures. The path to the ESL file is being
provided through a Kconfig symbol(CONFIG_EFI_CAPSULE_ESL_FILE).

Changes have also been made to the test flow so that the keys used for
signing the capsule, and the ESL file, are generated prior to invoking
the u-boot's build, which enables embedding the ESL file into the dtb
as part of the u-boot build.

The other task is related to generation of capsules. Support is being
added to generate capsules by specifying the capsule parameters in a
config file. Calling the mkeficapsule tool then results in generation
of the corresponding capsule files. The capsules can be generated as
part of u-boot build, and this is being achieved through binman, by
adding a capsule entry type. The capsules can be generated either by
specifying the capsule parameters in a config file, or through
specifying them as properties under the capsule entry node. If using
the config file, the path to the config file is to be specified
through a Kconfig symbol(CONFIG_EFI_CAPSULE_CFG_FILE).

Changes have also been made to the efi capsule update feature testing
setup on the sandbox variants. Currently, the capsule files and the
public key ESL file are generated after u-boot has been built. This
logic has been changed so that the capsule input files along with the
keys needed for capsule signing and authentication are generated prior
to initiation of the u-boot build. The placement of all the files
needed for generation of capsules, along with the generated capsule
files is under the /tmp/capsules/ directory.

Currently, the capsule update feature is tested on the sandbox
and sandbox_flattree variants in CI. The capsule generation through
config file is enabled for the sandbox variant, with the
sandbox_flattree variant generating capsules through the command-line
parameters.

The document has been updated to reflect the above changes.

Changes since V4:
* Rebase on top of current HEAD.
* Pass the single command target names directly to the function
  instead of putting them in a separate list.
* Fix multi line comment format.
* Drop additional blank line.
* Remove the check for CONFIG_EFI_HAVE_CAPSULE_SUPPORT from arm's
  u-boot.dtsi.
* Wrap the help text in the EFI_CAPSULE_ESL_FILE config at 72 chars.
* New patch which moves the setting up of the files needed for testing
  the EFI capsule update feature to the Dockerfile.
* Remove blank lines after function comments.
* Fix a couple of typos.
* Use single quotes for strings.
* Put the GUIDs in variables with relevant names.
* Declare certain values in local variables instead of member values.
* Add comments for explaining the payload offsets in the capsule file.
* Drop the test case for generating the capsule from the config
  file.
* Define payload data for the capsule tests.
* Add logic to find input and output files in capsule generation in
  the indir and outdir directories when absolute path is not passed.
* Use a relative path for CONFIG_EFI_CAPSULE_CFG_FILE.
* Remove logic to copy capsule config file to /tmp/capsules/
  directory, as the capsule entry can handle relative paths.
* Add a comment in the capsule config file for the image GUIDs being
  used.
* Use lower case for image GUIDs.
* Define macros for the image GUIDs being used for generating the
  capsules.
* Use lower case for image GUIDs.


Sughosh Ganu (12):
  binman: bintool: Build a tool from a list of commands
  nuvoton: npcm845-evb: Add a newline at the end of file
  capsule: authenticate: Add capsule public key in platform's dtb
  doc: capsule: Document the new mechanism to embed ESL file into dtb
  tools: mkeficapsule: Add support for parsing capsule params from
    config file
  Dockerfile: capsule: Setup the files needed for capsule update testing
  binman: capsule: Add support for generating capsules
  doc: Add documentation to highlight capsule generation related updates
  test: py: Setup capsule files for testing
  test: capsule: Remove public key embed logic from capsule update test
  sandbox: capsule: Add a config file for generating capsules
  sandbox: capsule: Generate capsule related files through binman

 arch/arm/dts/nuvoton-npcm845-evb.dts          |   2 +-
 arch/arm/dts/u-boot.dtsi                      |  14 +
 arch/sandbox/dts/u-boot.dtsi                  | 288 ++++++++++++++
 configs/sandbox_defconfig                     |   3 +
 configs/sandbox_flattree_defconfig            |   1 +
 configs/sandbox_spl_defconfig                 |   1 +
 doc/develop/uefi/uefi.rst                     | 106 +++++-
 lib/efi_loader/Kconfig                        |   9 +
 lib/efi_loader/Makefile                       |   7 +
 test/py/conftest.py                           |  84 +++++
 test/py/tests/test_efi_capsule/conftest.py    | 164 +-------
 .../test_efi_capsule/sandbox_capsule_cfg.txt  | 175 +++++++++
 test/py/tests/test_efi_capsule/signature.dts  |  10 -
 .../tests/test_efi_capsule/uboot_bin_env.its  |  36 --
 tools/Kconfig                                 |  16 +
 tools/Makefile                                |   1 +
 tools/binman/bintool.py                       |  19 +-
 tools/binman/btool/mkeficapsule.py            | 153 ++++++++
 tools/binman/entries.rst                      |  42 +++
 tools/binman/etype/capsule.py                 | 132 +++++++
 tools/binman/ftest.py                         | 115 ++++++
 tools/binman/test/307_capsule.dts             |  19 +
 tools/binman/test/308_capsule_signed.dts      |  21 ++
 tools/binman/test/309_capsule_version.dts     |  20 +
 tools/binman/test/310_capsule_missing_key.dts |  20 +
 .../binman/test/311_capsule_missing_index.dts |  18 +
 .../binman/test/312_capsule_missing_guid.dts  |  17 +
 .../test/313_capsule_missing_payload.dts      |  18 +
 tools/binman/test/314_capsule_missing.dts     |  18 +
 tools/binman/test/files/capsule_cfg.txt       |   6 +
 tools/docker/Dockerfile                       |  12 +
 tools/eficapsule.h                            | 115 ++++++
 tools/mkeficapsule.c                          |  87 +++--
 tools/mkeficapsule_parse.c                    | 352 ++++++++++++++++++
 34 files changed, 1845 insertions(+), 256 deletions(-)
 create mode 100644 arch/arm/dts/u-boot.dtsi
 create mode 100644 arch/sandbox/dts/u-boot.dtsi
 create mode 100644 test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt
 delete mode 100644 test/py/tests/test_efi_capsule/signature.dts
 delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its
 create mode 100644 tools/binman/btool/mkeficapsule.py
 create mode 100644 tools/binman/etype/capsule.py
 create mode 100644 tools/binman/test/307_capsule.dts
 create mode 100644 tools/binman/test/308_capsule_signed.dts
 create mode 100644 tools/binman/test/309_capsule_version.dts
 create mode 100644 tools/binman/test/310_capsule_missing_key.dts
 create mode 100644 tools/binman/test/311_capsule_missing_index.dts
 create mode 100644 tools/binman/test/312_capsule_missing_guid.dts
 create mode 100644 tools/binman/test/313_capsule_missing_payload.dts
 create mode 100644 tools/binman/test/314_capsule_missing.dts
 create mode 100644 tools/binman/test/files/capsule_cfg.txt
 create mode 100644 tools/mkeficapsule_parse.c
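
Added example, not part of the patch series or of U-Boot: a structural check that could be run on the file named by CONFIG_EFI_CAPSULE_ESL_FILE before the build embeds it into the dtb. It assumes the ESL carries X.509 certificate entries; the function names and the sample blob are hypothetical, and the layout follows EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA from the UEFI specification.

```python
import struct
import uuid

# EFI_CERT_X509_GUID as defined in the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID('a5c059a1-94e4-4aa7-87b5-ab155c2bf072')
ESL_HDR = struct.Struct('<16sIII')  # type GUID, list size, header size, sig size


def parse_esl(blob):
    """Return [(signature_type, owner, data), ...] or raise ValueError."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < ESL_HDR.size:
            raise ValueError('truncated EFI_SIGNATURE_LIST header')
        sig_type, list_size, hdr_size, sig_size = ESL_HDR.unpack_from(blob, off)
        if list_size < ESL_HDR.size or off + list_size > len(blob):
            raise ValueError('SignatureListSize outside file')
        body = list_size - ESL_HDR.size - hdr_size
        # Each EFI_SIGNATURE_DATA is a 16-byte owner GUID plus the signature.
        if sig_size <= 16 or body <= 0 or body % sig_size:
            raise ValueError('inconsistent SignatureSize')
        for pos in range(off + ESL_HDR.size + hdr_size, off + list_size, sig_size):
            entries.append((uuid.UUID(bytes_le=sig_type),
                            uuid.UUID(bytes_le=blob[pos:pos + 16]),
                            blob[pos + 16:pos + sig_size]))
        off += list_size
    return entries


def check_capsule_esl(blob):
    """Accept only a non-empty ESL whose entries all look like DER X.509."""
    entries = parse_esl(blob)
    if not entries:
        raise ValueError('ESL contains no signatures')
    for sig_type, _owner, data in entries:
        if sig_type != EFI_CERT_X509_GUID:
            raise ValueError('unexpected signature type %s' % sig_type)
        if data[:1] != b'\x30':  # DER SEQUENCE tag
            raise ValueError('signature data is not DER')
    return len(entries)


def make_esl(cert, owner=uuid.UUID(int=0)):
    """Build a one-entry ESL (used only to construct sample input)."""
    size = ESL_HDR.size + 16 + len(cert)
    return (ESL_HDR.pack(EFI_CERT_X509_GUID.bytes_le, size, 0, 16 + len(cert))
            + owner.bytes_le + cert)

SAMPLE_ESL = make_esl(b'\x30\x82\x00\x04' + b'\x00' * 4)  # constructed, not a real cert
```

The check only validates structure; it does not verify that the certificate matches the key used to sign the capsules.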